Canadian banks have long been reluctant to talk about losses from cyber attacks.

Rick Waugh, chief executive of the Bank of Nova Scotia, said in an interview earlier this year that’s partly because disclosing details of a successful network break-in would be like giving a road map to the bad guys.

Another plausible explanation for the banks’ reticence might have to do with reputation: By owning up, a bank is admitting it could be vulnerable and potentially providing customers with a reason to leave.

But whether or not they want to talk about it, banks are increasingly buying insurance to protect against losses from computer breaches.

“Everybody’s worried about it, especially financial institutions, because a lot of the information they have is very sensitive,” said Michael Petersen, a practice leader at Marsh Canada.

Mr. Petersen said the Canadian market is “rapidly evolving” and has been for the past five years, especially in the wake of a string of high-profile incidents ranging from rogue employees at tax haven banks selling customer account information, to garden variety debit card theft, to a full-scale network break-in at New York-based Citigroup affecting hundreds of thousands of account holders across North America.

There are now more than 26 underwriters offering such policies designed specifically for the financial sector, including Chubb Corp., ACE Ltd., Chartis and Kiln Group Ltd., compared with barely a handful 10 years ago.

“Every organization is trying to figure out their exposure and the potential losses they could face,” Mr. Petersen said. “When you assess your risk you have to both look outside the organization and within. You have to take a close look at your employees to ensure incidents don’t occur, but even with all that mistakes happen, memory sticks can be stolen….”

Annual cyber risk insurance premiums for the United States alone are worth as much as $1-billion a year, according to analyst estimates.

The federal Privacy Commissioner has guidelines requiring organizations to notify affected customers following a breach in which personal information is stolen, but there’s no rule about broader public disclosure. Presumably, securities rules around disclosure of material events would cover major network break-ins but such events are rarely, if ever, mentioned in financial reports or press releases by financial companies. That may be about to change.

Last fall, the U.S. Securities and Exchange Commission announced that public companies of all kinds must disclose details of all network breaches resulting in material losses, including the actual costs to the company as well as the nature of the attack.

Meanwhile, at least 46 states have brought in similar legislation of their own.

“There has been an evolution of the laws in the U.S. but here in Canada disclosure requirements aren’t as broad,” said Mr. Petersen, who added that “over time” he anticipates that lawmakers in this country will follow suit with the tougher rules being put in place south of the border.

But even in the U.S., the rules around what companies need to do after a cyber attack are a work in progress — largely because the technology itself is changing and developing so quickly. Back when many of today’s laws were first mapped out, computer hacking was mostly a nuisance activity carried out by bored teenagers looking to deface a website or, at worst, disable an e-commerce portal.

Today, with many hackers being sophisticated criminals bent on stealing money or financial information, financial companies are spending a lot more to defend themselves.

Often, one of the biggest challenges for victims is to determine the extent of the damage — what information has been taken, how many customers are affected and so on. Sometimes, it takes days or even weeks before there are clear answers to those questions.

Typically, in the case of banks, it’s the customers that are targeted first and the hackers then use the stolen passwords to break into their accounts, according to José Fernandez, a software engineering professor at Ecole Polytechnique de Montreal.

“Ninety-nine percent of the time it’s the customer that gets hit,” he said, adding that credible loss estimates for North America are probably in the low billions of dollars.

So far, he suspects, most banks are willing to cover the cost themselves without relying on insurance.

That’s because taking out insurance and making claims would involve a higher level of disclosure than players are comfortable with.

But with the increase in hacking incidents and higher losses that may soon change.